The GUP talks to the hosted SEPM the same as any other SEP client in the estate. This typically just involves:
- Create MSL with the SEPM's externally accessible IP and/or name
- Ensure this MSL is in the deplyed client packages
- Make sure the routing, name resolution, and ports work from all clients (including the GUPs) to the SEPM's external address
- Make sure the routing, name resolution, and ports work from the clients to the GUP(s)
- Use hostnames or internal IP addresses in the LU Policy to define the GUPs
Obviously, it's recommended to enable and use HTTPS comms on this external SEPM, and to lock down console access.
Essentially, there's nothing really different in hosting a SEPM externally to having it placed inside your network. The client heartbeats all use their sylink.xml files to determine how they should contact the SEPM (name/IP address/etc), and after that it's just making sure the client can resolve the name, and route to the IP address over the port defined. Nothing special is required for the GUPs either, as they grab defs from the SEPM over the same heartbeat port, and the GUP port is used between the other SEP clients and the GUP, which is usually internal to your network.